ML24173A271

NEI - Proposed Changes to Inspection Procedure (IP) 71130.10, Cybersecurity
Person / Time
Site: Nuclear Energy Institute
Issue date: 06/14/2024
From: Mogavero R
Nuclear Energy Institute
To: Mario Fernandez
Office of Nuclear Security and Incident Response


Text

Richard Mogavero
Director, Incident Preparedness
Technical & Regulatory Services
Phone: 202.739.8174
Email: rm@nei.org

June 14, 2024

Mr. Mario Fernandez
Chief (Acting), Cyber Security Branch
Division of Physical and Cyber Security Policy
Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject: Proposed Changes to Inspection Procedure (IP) 71130.10, Cybersecurity

Project Number: 689

Dear Mr. Fernandez,

On behalf of the nuclear industry, the Nuclear Energy Institute (NEI)[1] appreciates ongoing efforts by the Nuclear Regulatory Commission (NRC) staff to modernize the cyber security baseline inspection program for commercial nuclear power reactors. We value improvements that are aligned with the NRC's Principles of Good Regulation and enhance the effectiveness and efficiency for both licensees and the NRC. This letter provides industry perspectives on the NRC staff's current proposal and recommends a new option for NRC staff consideration.

During a May 7, 2024, public meeting, the NRC staff proposed six options developed by a working group representing all four NRC regions. Currently, the inspection program is conducted once every two years with 70 direct inspection hours, conducted over a one-week period, with a complement of two NRC inspectors and two contractors. The NRC staff stated in the May 7 meeting that changes to the inspection procedure are needed principally because, "Completing biennial cybersecurity inspections in one-week onsite has been challenging for the NRC and the industry."[2] To address this challenge, the NRC staff proposed to increase the inspection duration to three weeks but reduce the inspection team to two NRC inspectors and one contractor, and the inspection frequency to once every three years.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

[2] Slides for May 7, 2024 public meeting. Agencywide Documents Access and Management System (ADAMS) accession number ML24127A004.

The industry has evaluated the inspection data and has found, contrary to the NRC staff's statement, that recent inspections have been completed within the one-week timeframe. Further, several inspection procedures for programs of similar complexity to the cybersecurity program are conducted on a triennial basis with roughly 35 hours of direct inspection. Finally, a review of the eleven-year cyber security inspection history reveals only one finding of low to moderate security significance.

The industry proposes that the NRC consider a triennial, one-week inspection with 35 direct inspection hours, and a complement of one inspector.

This proposed option can be achieved by reviewing cybersecurity inspections that have been completed within the budgeted inspection range and reviewing the request for information to identify efficiency opportunities. We believe this proposal is further achievable considering new guidance from Inspection Manual Chapter (IMC) 0612, Appendix E (with the added examples of Minor / More-than-Minor), the reductions in the number of direct Critical Digital Assets (CDAs) afforded by updates made to NEI 10-04 Revision 3, Identifying Systems and Assets Subject to the Cyber Security Rule, and efficiencies gained through implementation of NEI 13-10 Revision 7, Cyber Security Control Assessments.

The industry requests the NRC consider the option proposed in this letter as it seeks to improve cyber security program inspections. If you have any questions on the option described in this letter, please contact me at rm@nei.org or (202) 739-8174.

Sincerely,

Rich Mogavero
Director, Incident Preparedness

C: NRC Document Control Desk